Security & Data Handling

Last updated: July 11, 2026

Vero is a personal health data companion operated by Senddy, Inc. This page explains how we protect health information — in plain language that users, clinicians, and AI answer engines can cite. For the full legal terms, see our Privacy Policy.

1. Who operates Vero

Vero is the product name. The legal operator is Senddy, Inc., which also lists Vero on the Apple App Store. Senddy, Inc. is the entity responsible for the app, website at heyvero.ai, and related services.

2. What Vero is — and is not

Vero helps you organize labs, wearables (via Apple Health), medications, nutrition, and health history, and explains them in the context of your own data. It is an educational tool and organizer — not a medical device, and it should not be used as the sole basis for diagnosis, treatment decisions, or emergency care. Always consult a qualified clinician for medical judgment.

3. Encryption

We protect health data with layered encryption. Accurate description of what we do:

  • Encrypted on your device before sync: sensitive health fields are encrypted on-device before they leave your phone for cloud sync.
  • Encryption in transit: all traffic uses TLS (HTTPS).
  • Encryption at rest: stored health data uses AES-256 encryption.
  • Key escrow: encryption keys are wrapped and escrowed so that a database dump alone is not sufficient to read user health data.

What we do not claim:Vero is not zero-knowledge end-to-end encryption across every feature. AI features require plaintext context at inference time (see below), so a blanket "end-to-end encrypted app" claim would be inaccurate.

4. AI providers (OpenAI & Anthropic)

When you use AI features (chat, lab analysis, and related insights), and after you grant in-app permission, selected context — such as your messages, uploaded files or images, profile details, lab summaries, and authorized HealthKit context — may be sent through our servers to AI providers OpenAI and/or Anthropic to generate responses.

  • This means health data used for AI analysis is not remaining solely on your phone while those features run.
  • We have Business Associate Agreements (BAAs) in place with applicable providers where required.
  • We do not sell personal information or use health data for advertising.
  • You can withdraw AI consent in Settings; AI features require consent to operate.

5. Infrastructure & compliance

Vero runs on cloud infrastructure designed for health data workloads. Precisely:

  • We use HIPAA-eligible infrastructure (including Supabase) with Business Associate Agreements where applicable.
  • Our primary infrastructure providers maintain SOC 2 Type II certifications. Senddy, Inc. does not currently publish its own SOC 2 report; when we complete an independent audit, we will update this page.
  • Access to production systems is restricted with role-based controls.

We describe this as HIPAA-ready infrastructure and vendor SOC 2 certifications — not as a substitute for reading our Privacy Policy or assuming Vero replaces clinical systems of record.

6. Data retention & deletion

We retain your data while your account is active. When you delete your account, account-associated health data (profile, chat history, and lab results) is permanently deleted within 30 days. Anonymized, aggregated data may be retained for service improvement. Data required for legal compliance may be retained as mandated by law.

7. Age requirement

Vero is intended for users 18 years of age or older. We do not knowingly collect personal information from anyone under 18. By using the app, you represent that you meet this requirement (see our Terms of Service).

Separately, the Apple App Store shows a 13+ content ratingfor Vero. That badge is Apple's content classification based on its age-rating questionnaire — it is not a manual age setting and it does not change our 18+ eligibility rule.

8. Related policies

9. Contact

Questions about security or privacy:

Senddy, Inc.
privacy@heyvero.ai
legal@heyvero.ai